Brim (zui) | Notion

Data Exploration

List unique log types (paths)

| cut _path | sort | uniq -c | sort -r

View sample events

select * from logs | head 10

Cutting & Filtering Fields

Purpose	Query
Search a value (IP, string)	`10.0.0.1`
Filter by log type	`_path == "conn"`
Filter by a specific field	`id.orig_h == 192.168.121.40`
Logical operators	`192 and NTP`

Basic field selection & dedup

_path == "conn"              # Connection logs
| cut id.orig_h, id.resp_h      # Show source & dest IP
| sort                          # Sort values alphabetically
| uniq -c | sort -r             # Count & rank unique pairs

Unique Connection & Frequency Queries

Unique network connections

_path == "conn"
| cut id.orig_h, id.resp_p, id.resp_h
| sort
| uniq

Unique DNS query counts

_path == "dns"
| count() by query
| sort -r

HTTP methods & URIs

_path == "http"
| cut id.orig_h, id.resp_h, id.resp_p, method, host, uri
| uniq -c | sort -r